isabelle: doc-src/TutorialI/IsarOverview/Isar/document/intro.tex@61a23a43b783 (annotated)

13619 584291949c23 * empty log message * nipkow parents: diff changeset	1	\section{Introduction}
584291949c23 * empty log message * nipkow parents: diff changeset	2
584291949c23 * empty log message * nipkow parents: diff changeset	3	Isar is an extension of Isabelle with structured proofs in a stylized
584291949c23 * empty log message * nipkow parents: diff changeset	4	language of mathematics. These proofs are readable for both a human
584291949c23 * empty log message * nipkow parents: diff changeset	5	and a machine. This document is a very compact introduction to
584291949c23 * empty log message * nipkow parents: diff changeset	6	structured proofs in Isar/HOL, an extension of
584291949c23 * empty log message * nipkow parents: diff changeset	7	Isabelle/HOL~\cite{LNCS2283}. We intentionally do not present the full
584291949c23 * empty log message * nipkow parents: diff changeset	8	language but concentrate on the essentials. Neither do we give a
584291949c23 * empty log message * nipkow parents: diff changeset	9	formal semantics of Isar. Instead we introduce Isar by example. Again
584291949c23 * empty log message * nipkow parents: diff changeset	10	this is intentional: we believe that the language ``speaks for
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	11	itself'' in the same way that traditional mathematical proofs do, which
13619 584291949c23 * empty log message * nipkow parents: diff changeset	12	are also introduced by example rather than by teaching students logic
584291949c23 * empty log message * nipkow parents: diff changeset	13	first. A detailed exposition of Isar can be found in Markus Wenzel's
584291949c23 * empty log message * nipkow parents: diff changeset	14	PhD thesis~\cite{Wenzel-PhD} and the Isar reference
584291949c23 * empty log message * nipkow parents: diff changeset	15	manual~\cite{Isar-Ref-Man}.
584291949c23 * empty log message * nipkow parents: diff changeset	16
584291949c23 * empty log message * nipkow parents: diff changeset	17	\subsection{Background}
584291949c23 * empty log message * nipkow parents: diff changeset	18
584291949c23 * empty log message * nipkow parents: diff changeset	19	Interactive theorem proving has been dominated by a model of proof
584291949c23 * empty log message * nipkow parents: diff changeset	20	that goes back to the LCF system~\cite{LCF}: a proof is a more or less
584291949c23 * empty log message * nipkow parents: diff changeset	21	structured sequence of commands that manipulate an implicit proof
584291949c23 * empty log message * nipkow parents: diff changeset	22	state. Thus the proof text is only suitable for the machine; for a
584291949c23 * empty log message * nipkow parents: diff changeset	23	human, the proof only comes alive when he can see the state changes
584291949c23 * empty log message * nipkow parents: diff changeset	24	caused by the stepwise execution of the commands. Such proofs are like
584291949c23 * empty log message * nipkow parents: diff changeset	25	uncommented assembly language programs. We call them
584291949c23 * empty log message * nipkow parents: diff changeset	26	\emph{tactic-style} proofs because LCF proof commands were called
584291949c23 * empty log message * nipkow parents: diff changeset	27	tactics.
584291949c23 * empty log message * nipkow parents: diff changeset	28
584291949c23 * empty log message * nipkow parents: diff changeset	29	A radically different approach was taken by the Mizar
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	30	system~\cite{Rudnicki92} where proofs are written in a stylized language akin
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	31	to that used in ordinary mathematics texts. The most important argument in
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	32	favour of a mathematics-like proof language is communication: as soon as not
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	33	just the theorem but also the proof becomes an object of interest, it should
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	34	be readable. From a system development point of view there is a second
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	35	important argument against tactic-style proofs: they are much harder to
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	36	maintain when the system is modified. The reason is as follows. Since it is
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	37	usually quite unclear what exactly is proved at some point in the middle of a
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	38	command sequence, updating a failed proof often requires executing the proof
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	39	up to the point of failure using the old version of the system. In contrast,
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	40	mathematics-like proofs contain enough information to tell you what is proved
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	41	at any point.
13619 584291949c23 * empty log message * nipkow parents: diff changeset	42
584291949c23 * empty log message * nipkow parents: diff changeset	43	For these reasons the Isabelle system, originally firmly in the
584291949c23 * empty log message * nipkow parents: diff changeset	44	LCF-tradition, was extended with a language for writing structured
584291949c23 * empty log message * nipkow parents: diff changeset	45	proofs in a mathematics-like style. As the name already indicates,
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	46	Isar was certainly inspired by Mizar. However, there are many
13619 584291949c23 * empty log message * nipkow parents: diff changeset	47	differences. For a start, Isar is generic: only a few of the language
584291949c23 * empty log message * nipkow parents: diff changeset	48	constructs described below are specific to HOL; many are generic and
584291949c23 * empty log message * nipkow parents: diff changeset	49	thus available for any logic defined in Isabelle, e.g.\ ZF.
584291949c23 * empty log message * nipkow parents: diff changeset	50	Furthermore, we have Isabelle's powerful automatic proof procedures at
584291949c23 * empty log message * nipkow parents: diff changeset	51	our disposal. A closer comparison of Isar and Mizar can be found
584291949c23 * empty log message * nipkow parents: diff changeset	52	elsewhere~\cite{WenzelW-JAR}.
584291949c23 * empty log message * nipkow parents: diff changeset	53
584291949c23 * empty log message * nipkow parents: diff changeset	54	Finally, a word of warning for potential writers of Isar proofs. It
584291949c23 * empty log message * nipkow parents: diff changeset	55	has always been easier to write obscure rather than readable texts.
584291949c23 * empty log message * nipkow parents: diff changeset	56	Similarly, tactic-style proofs are often (though by no means always!)
584291949c23 * empty log message * nipkow parents: diff changeset	57	easier to write than readable ones: structure does not emerge
584291949c23 * empty log message * nipkow parents: diff changeset	58	automatically but needs to be understood and imposed. If the precise
584291949c23 * empty log message * nipkow parents: diff changeset	59	structure of the proof is not clear from the beginning, it can be
584291949c23 * empty log message * nipkow parents: diff changeset	60	useful to start in a tactic-based style for exploratory purposes until
584291949c23 * empty log message * nipkow parents: diff changeset	61	one has found a proof which can then be converted into a structured
584291949c23 * empty log message * nipkow parents: diff changeset	62	text in a second step. Top down conversion is possible because Isar
584291949c23 * empty log message * nipkow parents: diff changeset	63	allows tactic-style proofs as components of structured ones.
584291949c23 * empty log message * nipkow parents: diff changeset	64
584291949c23 * empty log message * nipkow parents: diff changeset	65	\subsection{A first glimpse of Isar}
584291949c23 * empty log message * nipkow parents: diff changeset	66
584291949c23 * empty log message * nipkow parents: diff changeset	67	Below you find a simplified grammar for Isar proofs.
584291949c23 * empty log message * nipkow parents: diff changeset	68	Parentheses are used for grouping and $^?$ indicates an optional item:
584291949c23 * empty log message * nipkow parents: diff changeset	69	\begin{center}
584291949c23 * empty log message * nipkow parents: diff changeset	70	\begin{tabular}{lrl}
584291949c23 * empty log message * nipkow parents: diff changeset	71	\emph{proof} & ::= & \isakeyword{proof} \emph{method}$^?$
584291949c23 * empty log message * nipkow parents: diff changeset	72	\emph{statement}*
584291949c23 * empty log message * nipkow parents: diff changeset	73	\isakeyword{qed} \\
584291949c23 * empty log message * nipkow parents: diff changeset	74	&$\mid$& \isakeyword{by} \emph{method}\\[1ex]
584291949c23 * empty log message * nipkow parents: diff changeset	75	\emph{statement} &::= & \isakeyword{fix} \emph{variables} \\
584291949c23 * empty log message * nipkow parents: diff changeset	76	&$\mid$& \isakeyword{assume} \emph{propositions} \\
584291949c23 * empty log message * nipkow parents: diff changeset	77	&$\mid$& (\isakeyword{from} \emph{facts})$^?$
584291949c23 * empty log message * nipkow parents: diff changeset	78	(\isakeyword{show} $\mid$ \isakeyword{have})
584291949c23 * empty log message * nipkow parents: diff changeset	79	\emph{propositions} \emph{proof} \\[1ex]
584291949c23 * empty log message * nipkow parents: diff changeset	80	\emph{proposition} &::=& (\emph{label}{\bf:})$^?$ \emph{string} \\[1ex]
584291949c23 * empty log message * nipkow parents: diff changeset	81	\emph{fact} &::=& \emph{label}
584291949c23 * empty log message * nipkow parents: diff changeset	82	\end{tabular}
584291949c23 * empty log message * nipkow parents: diff changeset	83	\end{center}
584291949c23 * empty log message * nipkow parents: diff changeset	84	A proof can be either compound (\isakeyword{proof} --
584291949c23 * empty log message * nipkow parents: diff changeset	85	\isakeyword{qed}) or atomic (\isakeyword{by}). A \emph{method} is a
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	86	proof method (tactic) offered by the underlying theorem prover.
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	87	Thus this grammar is generic both w.r.t.\ the logic and the theorem prover.
13619 584291949c23 * empty log message * nipkow parents: diff changeset	88
584291949c23 * empty log message * nipkow parents: diff changeset	89	This is a typical proof skeleton:
584291949c23 * empty log message * nipkow parents: diff changeset	90	\begin{center}
584291949c23 * empty log message * nipkow parents: diff changeset	91	\begin{tabular}{@{}ll}
584291949c23 * empty log message * nipkow parents: diff changeset	92	\isakeyword{proof}\\
584291949c23 * empty log message * nipkow parents: diff changeset	93	\hspace*{3ex}\isakeyword{assume} \isa{"}\emph{the-assm}\isa{"}\\
584291949c23 * empty log message * nipkow parents: diff changeset	94	\hspace*{3ex}\isakeyword{have} \isa{"}\dots\isa{"} & --- intermediate result\\
584291949c23 * empty log message * nipkow parents: diff changeset	95	\hspace*{3ex}\vdots\\
584291949c23 * empty log message * nipkow parents: diff changeset	96	\hspace*{3ex}\isakeyword{have} \isa{"}\dots\isa{"} & --- intermediate result\\
584291949c23 * empty log message * nipkow parents: diff changeset	97	\hspace*{3ex}\isakeyword{show} \isa{"}\emph{the-concl}\isa{"}\\
584291949c23 * empty log message * nipkow parents: diff changeset	98	\isakeyword{qed}
584291949c23 * empty log message * nipkow parents: diff changeset	99	\end{tabular}
584291949c23 * empty log message * nipkow parents: diff changeset	100	\end{center}
584291949c23 * empty log message * nipkow parents: diff changeset	101	It proves \emph{the-assm}~$\Longrightarrow$~\emph{the-concl}. Text starting with
584291949c23 * empty log message * nipkow parents: diff changeset	102	``---'' is a comment. The intermediate \isakeyword{have}s are only
584291949c23 * empty log message * nipkow parents: diff changeset	103	there to bridge the gap between the assumption and the conclusion and
584291949c23 * empty log message * nipkow parents: diff changeset	104	do not contribute to the theorem being proved. In contrast,
584291949c23 * empty log message * nipkow parents: diff changeset	105	\isakeyword{show} establishes the conclusion of the theorem.
584291949c23 * empty log message * nipkow parents: diff changeset	106
584291949c23 * empty log message * nipkow parents: diff changeset	107	\subsection{Bits of Isabelle}
584291949c23 * empty log message * nipkow parents: diff changeset	108
584291949c23 * empty log message * nipkow parents: diff changeset	109	In order to make this paper self-contained we recall some basic
584291949c23 * empty log message * nipkow parents: diff changeset	110	notions and notation from Isabelle~\cite{LNCS2283}. Isabelle's
584291949c23 * empty log message * nipkow parents: diff changeset	111	meta-logic offers an implication $\Longrightarrow$ and a universal quantifier $\bigwedge$
584291949c23 * empty log message * nipkow parents: diff changeset	112	for expressing inference rules and generality. Iterated implications
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	113	$A_1 \Longrightarrow \dots A_n \Longrightarrow A$ may be abbreviated to $[\![ A_1; \dots; A_n
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	114	]\!] \Longrightarrow A$. Applying a theorem $A \Longrightarrow B$ (named \isa{T}) to a theorem
13619 584291949c23 * empty log message * nipkow parents: diff changeset	115	$A$ (named \isa{U}) is written \isa{T[OF U]} and yields theorem $B$.
584291949c23 * empty log message * nipkow parents: diff changeset	116
584291949c23 * empty log message * nipkow parents: diff changeset	117	Isabelle terms are simply typed. Function types are
584291949c23 * empty log message * nipkow parents: diff changeset	118	written $\tau_1 \Rightarrow \tau_2$.
584291949c23 * empty log message * nipkow parents: diff changeset	119
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	120	Free variables that may be instantiated (``logical variables'' in Prolog
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	121	parlance) are prefixed with a \isa{?}. Typically, theorems are stated with
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	122	ordinary free variables but after the proof those are automatically replaced
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	123	by \isa{?}-variables. Thus the theorem can be used with arbitrary instances
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	124	of its free variables.
13619 584291949c23 * empty log message * nipkow parents: diff changeset	125
584291949c23 * empty log message * nipkow parents: diff changeset	126	Isabelle/HOL offers all the usual logical symbols like $\longrightarrow$, $\land$,
584291949c23 * empty log message * nipkow parents: diff changeset	127	$\forall$ etc. Proof methods include \isa{rule} (which performs a backwards
584291949c23 * empty log message * nipkow parents: diff changeset	128	step with a given rule, unifying the conclusion of the rule with the
584291949c23 * empty log message * nipkow parents: diff changeset	129	current subgoal and replacing the subgoal by the premises of the
584291949c23 * empty log message * nipkow parents: diff changeset	130	rule), \isa{simp} (for simplification) and \isa{blast} (for predicate
584291949c23 * empty log message * nipkow parents: diff changeset	131	calculus reasoning).
584291949c23 * empty log message * nipkow parents: diff changeset	132
584291949c23 * empty log message * nipkow parents: diff changeset	133	\subsection{Overview of the paper}
584291949c23 * empty log message * nipkow parents: diff changeset	134
584291949c23 * empty log message * nipkow parents: diff changeset	135	The rest of the paper is divided into two parts.
584291949c23 * empty log message * nipkow parents: diff changeset	136	Section~\ref{sec:Logic} introduces proofs in pure logic based on
584291949c23 * empty log message * nipkow parents: diff changeset	137	natural deduction. Section~\ref{sec:Induct} is dedicated to induction,
584291949c23 * empty log message * nipkow parents: diff changeset	138	the key reasoning principle for computer science applications.
584291949c23 * empty log message * nipkow parents: diff changeset	139
13620 61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	140	There are at least two further areas where Isar provides specific support,
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	141	but which we do not document here. Reasoning by chains of (in)equations is
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	142	described elsewhere~\cite{BauerW-TPHOLs01}. Reasoning about axiomatically
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	143	defined structures by means of so called ``locales'' was first described in
61a23a43b783 * empty log message * nipkow parents: 13619 diff changeset	144	\cite{KWP-TPHOLs99} but has evolved much since then.
13619 584291949c23 * empty log message * nipkow parents: diff changeset	145
584291949c23 * empty log message * nipkow parents: diff changeset	146	Do not be mislead by the simplicity of the formulae being proved,
584291949c23 * empty log message * nipkow parents: diff changeset	147	especially in the beginning. Isar has been used very successfully in
584291949c23 * empty log message * nipkow parents: diff changeset	148	large applications, for example the formalization of Java, in
584291949c23 * empty log message * nipkow parents: diff changeset	149	particular the verification of the bytecode verifier~\cite{KleinN-TCS}.

author	nipkow
	Wed, 02 Oct 2002 15:26:07 +0200
changeset 13620	61a23a43b783
parent 13619	584291949c23
child 13765	e3c444e805c4
permissions	-rw-r--r--